Despite years of research, nobody knows how to provide evidence of an accurate result while keeping individual online votes private.

Internet voting is similar to online banking, except you're not sent a receipt saying "this is how you voted" because then you could be coerced or bribed. Your vote should be private, even from the electoral commission.

There are three reasons why Australia shouldn't move to an online voting system:

the system might not be secure;

the code might not be correct; and, most importantly,

if something goes wrong, we might never know.

The system might not be secure

Computer security researcher Alex Halderman and I (Vanessa) found a serious security vulnerability in the NSW iVote system during March 2015 election. This was caused by some code imported into the secure voting session from an insecure third-party server. It meant an internet-based attacker could have exposed e-votes, changed them, and circumvented iVote's verification process.

The vulnerability was repaired, but by that stage, 66,000 votes were cast. Just 3,000 votes determined the result of a disputed seat in the Legislative Council. There is no evidence that the security hole was exploited, but also no evidence that it was not.

Some iVote returns differed notably from those cast by more secure channels. The ALP received about 30% of the votes on paper in the Legislative Council, for instance, but only 25% via iVote. The NSW Electoral Commission (NSWEC) blamed these differences on a user interface design problem, but it might also have been a software error or a security breach.

The code might not be correct

The main use of computers in Australian elections is for counting complicated elections like the Senate and the upper houses of state parliaments. We've had the opportunity to inspect some of the code and some of the data. We've also found some bugs - which is a good thing, because then they can be fixed.

This wasn't the case in the 2012 local government elections in Griffith, NSW. Last week, with Andrew Conway and others, we identified a software error leading to a mistake in the 2012 results computed by the NSW Electoral Commission. The software error incorrectly distributed preferences, which meant candidate Rina Mercuri lost a spot on the Griffith council. Without the error, she would have won with a probability of about 91%.

The Australian Electoral Commission very recently purchased a new "Senate counting solution" from the same vendor that made iVote. But the code is unavailable to Australian public scrutiny, despite a Freedom of Information request and a Senate motion ordering the commission to publish it. The code should be made public, and the paper ballots should be available for auditing.

We'd expect a similar rate of error for internet voting code as counting code, but iVote's code is not available for review. More importantly, there's no simple way for an outsider to double-check the process.

If something goes wrong, we might never know

With no official account of the iVote run, and no public independent report, we cannot tell whether votes were changed or lost in the 2015 NSW election.

iVote had a limited verification mechanism: voters could ring a special service, enter their receipt number and have their vote read back to them.

An attacker who changed the vote could change the receipt number too, so the voter couldn't retrieve any vote from the verification service. But the same would happen if voters simply forgot their receipt numbers, or if votes were accidentally lost due to a software bug.

Some 1.7% of electors who voted using iVote® also used the verification service and none identified any anomalies with their vote.
But there must have been people who telephoned the verification service, but couldn't retrieve any vote at all. The real question is: of those who tried to verify, what fraction failed?

How electronic voting can work: in a polling place

Secure electronic voting is possible - in a polling place. One simple method to check the accuracy of the process is to print a plain paper ballot that a voter can read and check.

Another method is an "end-to-end verifiable" election system. We worked with the Victorian Electoral Commission to develop the the first such system to run at a state level anywhere in the world.

Under this system, voters cast their votes at polling places using a computer. The system provided evidence to each voter that their vote was recorded as they intended and properly included in the count. It also provided evidence to scrutineers that all the votes were properly processed, without revealing individual votes.

The processes allowed votes to be returned electronically from London with evidence that they were correct, rather than shipping the ballot papers.

Why was it restricted to a polling place? Partly because large-scale voter coercion and identity fraud are harder. Most importantly, because voters can get help to follow the complicated verification process.

Lessons learnt:

Election commissions must produce verifiable evidence that the winning candidates were chosen fairly, based on reliable and secure vote-casting and correct vote-counting.

The lesson from the bugs in the ACT and NSWEC vote-counting code is clear: make the computer code available for public inspection so that we can scrutinise it for errors before the election.

Receiving votes from the internet is the easy part. Proving that you got the right result, while keeping votes private, is an unsolved problem.

Disclosure statement:

Vanessa Teague receives funding from the Australian Research Council and The University of Melbourne. She is an advisory board member of Verified Voting (http://www.verifiedvoting.org/), which advocates for legislation and regulation that promotes accuracy, transparency and verifiability of elections

Chris Culnane receives funding from the Australian Research Council, and has previously received funding from The Engineering and Physical Sciences Research Council (UK), The University of Surrey, The Higher Education Funding Council England, and InnovateUK. He was the Technical Lead for the University of Surrey on the vVote project, which designed, developed, and ran an open source end-to-end verifiable election system in the State of Victoria, Australia. Whilst at the University of Surrey he was part of the ICURe Innovation-to-Commercialisation programme that lead to the starting of Coasca Limited, but has no ongoing financial interest.

Rajeev Gore receives funding from the Australian Research Council, the Australian National University, and the German-Australian Research Collaboration Scheme.